Jump to Content
Financial Services

A migration story part 2: How NCR & Opus built better availability and resilience for card management in the cloud

April 5, 2022
https://storage.googleapis.com/gweb-cloudblog-publish/images/2019_financial_9Jee0L2.max-2600x2600.png
Debashis Bhattacharyya

Solutions Architect, Opus Consulting

Charles He

Customer Engineer, Infrastructure, Google Cloud

This is the second part of the blog series that covers the migration story of NCR Corporation’s Card Management solution, Authentic Cards, to Google Cloud. This installment describes the Google Cloud solutions used in the architecture to strengthen the functional and technical capabilities of the product.

We start again by reiterating the fact that migrating legacy systems to the cloud can be challenging for large enterprises, but many companies can benefit by deploying them into the cloud for better performance, scalability, and availability. In this blog we will further explore how NCR and Opus Consulting Solutions designed the cloud solution by choosing the right capabilities available in Google Cloud.

If you want to know more about the product and its high level architecture, we encourage you to read part 1 of this blog series.

Why is it important to choose the right component?

https://storage.googleapis.com/gweb-cloudblog-publish/images/1_NCR__Opus.max-1100x1100.jpg

A software product is defined by the quality of its features, security, availability, its extensibility in the future along with many other factors. Building the right product using modern technologies is one thing, but choosing the right components while keeping in mind the objectives of key stakeholders when deploying a solution to the cloud is another thing and can be a daunting task. Several factors drive the design decisions while building the right architecture for your product in the cloud. Different teams, from banking lines of business, compliance to IT delivery and operations, have varying needs when it comes to how they leverage and manage the technology day to day. Cloud providers offer a wealth of managed services and hence the balance between choosing these services, their benefits, and the associated costs should be taken into consideration by the key stakeholders when making such decisions. Primarily, cloud components are categorized into hardware, virtualization, storage, and network, and should be chosen carefully when designing solutions.  Some major factors taken into consideration are:

  • Current industry standards and future trends

  • Technology and future roadmap of the product

  • Availability, scalability, and regional independence

  • Security of the system, modern day threats and mitigations

  • Data security and governance

  • Data storage needs

  • Manageability of the architecture and the system

  • Contracts, commercials, support, and SLAs

Cloud capabilities

NCR Authentic Cards is built by amalgamating several individual native and custom components in Google Cloud. The entire architecture is designed with a lot of precision keeping in mind the various aspects of the product. The architecture takes a security-first approach and makes use of several managed services provided by Google Cloud for security and better management of resources. Primary infrastructure solutions like Google Kubernetes Engine and Cloud SQL are used to deploy NCR Authentic Card’s business logic and data. Meanwhile, components like Cloud NAT and Cloud Armor provide a security shield for the product.

https://storage.googleapis.com/gweb-cloudblog-publish/images/2_NCR__Opus.max-2000x2000.jpg

Let us look at all these individual components in detail.

Virtual Private Cloud (VPC)

This is the primary component of the architecture, and it acts as the playground for where the whole product and its constituting components can reside and play. It encompasses the product in a private cloud network spanning across multiple regions helping to ensure security from external elements. The components inside the VPC are configured to have only private IPs which ensures that they can only be accessed from within the VPC and are invisible to the outside world. The data inside the VPC is encrypted while in transit, providing further safety of the data flowing through the product. The security of the VPC is further enhanced by applying a set of firewall rules limiting and restricting communication between the components in the VPC.

Cloud NAT

This Google Cloud managed service is a key part of this architecture, restricting access to components behind the gateway with private IPs. Cloud NAT provides network address translation for subnets in the VPC region with a single gateway. In simple words, it lets the internal resources and its components create outbound internet connections when needed for upgrades and other similar necessities. It was carefully chosen during the design phase as a component of this architecture to ensure security to the internal resources of the system.

Google Kubernetes Engine

Google Kubernetes Engine hosts the service code containing the business logic of the product. The software code along with its dependencies, like runtime environment and libraries required to run the code, are packaged in containers and deployed in pods in Google Kubernetes Engine. The product consists of several microservices, all deployed in pods running in nodes (equivalent of a machine). This allows Google Kubernetes Engine to auto scale a service horizontally by deploying the service into more pods based on demand, supporting the application’s ability to handle unprecedented loads and sudden spikes in traffic. The choice of this component can help yield benefits such as efficient usage of resources, reduced support and infrastructure management overhead, and automated deployments. Google Kubernetes Engine can also support the deployment of the application in a regional cluster using namespaces. The regional cluster helps support higher availability even when an entire zone is down or has issues while namespaces  enable multi-tenant cost optimization. The implementation team at NCR and Opus has built CI/CD pipelines to help build, test, and deploy enhancements and upgrades to the product deployed in the GKE cluster.

Cloud SQL

NCR Authentic Cards uses a relational database, Postgres, to store its data. Cloud SQL gives the choice of picking Postgres while availing the other benefits of a managed service database like applying patches and updates, managing backups, and configuring replications. The database is replicated in two zones making it highly available. The choice of zones and regions are configurable and can be made based on the geographical data norms of the customer. It also adds an additional security layer to the product as the data is encrypted and stored in Cloud SQL. The application code connects to the database using SQL Auth proxy, helping to keep the connection secure between itself and the database.

Cloud Memorystore

The actual product design of NCR Authentic Cards included a Redis component for managing cache. This was revised while designing the architecture in Google Cloud and Cloud Memorystore was added in the new Authentic Cards realm replacing Redis. Cloud Memorystore is also a managed service and provides caching capabilities to the product, helping to render faster response time on the services.

Cloud Load Balancing

The services of NCR Authentic Cards are exposed to the customers through Cloud Load Balancing which is a fully distributed, software-defined, and highly scalable managed service provided by Google Cloud.  Cloud Load Balancing helped in deploying the entire product behind one anycast external IP which is called by the customers to avail the services. NCR Authentic Cards can be deployed in multiple regions for failover, availability, and geographical needs behind this single IP. Also, the product and its resources can be auto scaled as required without impacting the customers. Cloud Load Balancing also supports SSL offloading, which means that the incoming SSL traffic from the customers is terminated at the load balancer and not sent as-is to the internal servers, providing an additional layer of security.

Cloud Armor

Cloud Armor is a managed WAF (web application firewall) service in Google Cloud and helps provide DDoS defense, enforce security policies, and mitigate key OWASP-identified risks for your system. This component was added to the design of NCR Authentic Cards and provides two main security features to the product which are as follows:

  • Region based whitelisting which allows only users from a specific geographic region to use the services.

  • Configuring an Allow/Deny list of IP addresses to help ensure the services are accessed by only allowed IP sources.

Apigee

The architecture of NCR Authentic Cards uses Apigee API management as the gateway to handle external traffic. Apigee routes traffic through the load balancer as well but independently authorizes each transaction at its layer using OAuth 2.0 API proxy. Apigee provides full API lifecycle management capabilities that support the always evolving and expanding card services integration ecosystem while offering the option to monetize API products. This allows for the solution to constantly offer new endpoints and a wider set of connectors for internal and external systems. The Authentic Card APIs are mapped to API proxies in Apigee which allows policies to be defined at the proxy level for security and other requirements. The default policy applied to the API proxies is VerifyAccessToken, helping to ensure token authentication for all the APIs. The Apigee architecture for Authentic Cards is depicted in the diagram below.

https://storage.googleapis.com/gweb-cloudblog-publish/images/3_NCR__Opus.max-2000x2000.jpg

Monitoring components

The support, alert, and monitoring system of NCR Authentic Cards, which is a quintessential component of the product, will be discussed in the final edition of this blog series.

Features enriched by the architecture of NCR Authentic Cards

The cloud components used in the design rendered the following features to NCR Authentic Cards:

  • Scalability and availability

  • Security

  • API lifecycle management with potential monetizing capabilities

  • Geographical independence

Modernizing a complex system by choosing the right architecture using native and custom cloud solutions can be challenging. The mix of NCR’s product and domain experience, combined with Opus’ specialized cloud development resources helped deliver an improved card management solution on Google Cloud. Today, NCR Authentic Cards is a validated product in Google Cloud and its services are readily accessible to financial institutions upon onboarding.


About Opus Consulting: Backed by years of experience in building highly innovative payment solutions and products for the digital age, Opus Consulting Solutions is at the forefront of shaping the future of the FinTech and Payments Technology landscape. Opus combines its deep technology proficiency with unmatched domain expertise in Payments and FinTech to deliver quality and value in their work. For more information, visit: https://opusconsulting.com/contact/

About NCR: NCR Corporation is a global enterprise technology provider for software, hardware and services needed to deliver exceptional customer experiences. NCR is a trusted partner for financial institutions looking to transform and align their business across mobile, on-line, ATM and branch. Through innovative solutions to run self-directed banking with the ability to power the end-to-end self-directed infrastructure, NCR solutions connect shared services to help simplify and optimize banking experiences for customer and staff alike, and also extend to integrate and innovate with the broader enterprise and fintech ecosystem. NCR helps clients bridge digital and physical operations so that businesses can connect with consumers anytime, anywhere.

Posted in